
New banking trojan 'Slave' hitting Polish Banks

We have spotted a new banking trojan in the wild that uses JSON-formatted webinjects. After so many Zeus-like webinjects around, this was kind of refreshing. Currently this banker only has targets in Poland. We are analyzing the injects, as they are capable of using ATS.

The malware has a time check which prevents it from running after 1 April 2015. Don't be fooled: the botmaster would probably issue an update command before that could happen, but the check can render useless the already "captured" samples that are circulating on the internet among researchers.

There are indications that the author used chromium source code to build the malware, hence we dubbed it "Slave":

One of the original filenames was Faktura V_388_02_20_2015.doc.scr, which strongly suggests that it was distributed via spam.

Some hashes:

If possible, we will show how ATS is working for this injection in an update.

For further info, please contact us: blog [at]

S21sec Ecrime


In October 2014, an investigation by the international police organization Interpol warned of a new type of banking malware, called Tyupkin, that allowed criminals to gain full control of ATM machines and steal huge amounts of cash without having to use a credit or debit card (see our blog post).

Far from being an isolated case, recent events show a surge in ATM-targeted malware attacks, with a variety of attack vectors all sharing a common goal: stealing huge amounts of cash directly from the bank, leaving its customers aside.

The hottest topic to date is the Carbanak APT (also known as Anunak), a sophisticated cyberattack affecting financial institutions in more than 30 countries with cumulative losses of up to 1 billion USD.

The attack vector consisted of compromising the victim's network by means of spear phishing emails that downloaded the malicious code, which was later propagated to critical systems.

Having infected key users, the attackers spied on them to gain detailed knowledge of internal working tools and procedures, which enabled them to mimic the users' activities and perform fraudulent actions while remaining unnoticed by the bank's fraud detection systems.

Although the criminals pursued multiple routes, one of the relevant targets was the control of the Automated Teller Machines (ATM) network.

ATM Network Control with Carbanak

Once the Carbanak APT had successfully compromised the victim's network, the attackers managed to gain access to the ATM management infrastructure and infect those systems with their own malicious software.

Although there might be more attack techniques not yet discovered, evidence of the following ATM-targeted malware attacks has been found:
  1. Change Denomination of Withdrawal Banknotes
    The ATM was manipulated to modify the banknote denominations, allowing mules to withdraw more money than actually registered in the transaction.
    The attackers uploaded malicious scripts and modified the ATM operating system registry to change denominations of issued banknotes. As a result, a transaction for 10 notes with denomination of 100 roubles gave the attackers 10 notes with denomination of 5,000 roubles.

  2. Remote Withdrawal of Cash from Dispenser
    The ATM network was used to dispense cash from certain ATMs at certain times when money mules were ready to collect it.

The attackers used a modified debug program that accepts commands to issue money from the dispenser. The original program only works when the ATM door is opened, but the tampered one ignored it.

The criminals were able to control computers that had access to the internal ATM network, using them to remotely issue cash withdrawal commands.

Based on this evidence we can say that the Carbanak campaign is a clear indicator of a new era in cybercrime in which criminals use APT techniques directly against the financial industry instead of through its customers. APTs are not only for stealing information anymore.

ATM Targeted Malware vs Lack of Security Measures

Malware attacks are one of the biggest concerns in ATM fraud since they are far less risky and much more profitable than traditional skimming or physical attacks.

The criminals are extremely agile and innovative in producing new types of malware to launch direct APT-like attacks against banks, but they are also helped by the very poor security of ATMs, still running old-fashioned Microsoft systems, and the weaknesses in the ATM infrastructure.

Every ATM is exposed to malware attacks and therefore applying strong security countermeasures is a must. An integrated security solution based on Application Whitelisting, Full Disk Encryption, HW Protection and File Protection, provides the most advanced and most effective countermeasure capability to stop this new generation of attacks.

In the case of the above-mentioned attacks, Application Whitelisting would have prevented the script that changed the banknote denominations from running, while File Protection would have prevented the attackers from replacing the ATM debug program binary.

S21sec Approach to ATM Security

S21sec has extensive expertise in the development of solutions adapted to the needs of the banking industry. Its product Lookwise Device Manager helps to protect ATM networks from logical attacks by restricting their usage to authorized hardware and processes only, monitoring ATM activity, and allowing remote actions to be executed.

S21sec also provides specialized and advanced security services for financial organizations.
We are members of ATMIA and ATEFI industry associations.


Juan Ramón Aramendía 
Lookwise Product Marketing Manager

Bulk spam campaign for Dalexis+CTB-Locker


In the last few days a bulk spam campaign has been detected distributing the Dalexis malware downloader. Below these lines you will find a screenshot taken from one of the spam mails.

The files attached to the emails are compressed files with the extension .zip or .cab. Within them there is a .scr file which, once executed, displays one of the following documents:

  • Document 1

  • Document 2

  • Document 3

This downloader is linked to the CTB-Locker ransomware. This crypto-malware ciphers files based on their extension, including: pdf, xls, ppt, txt, py, wb2, jpg, odb, dbf, md, js, pl. It is able to cipher files located on both local and mapped drives.

Once file ciphering is completed the following ransom message is shown:

The message is localised depending on the victim's location. Available languages are: French, English, Italian, German and Dutch. The cybercriminals include additional information to guide the victim through the steps needed to pay the ransom.

The ransomware download is performed through a TOR request using a gateway, in an attempt to avoid AV tools and proxies. Furthermore, the downloaded file is also ciphered, and is deciphered by the downloader in order to run it.

Until now we have seen the following URLs within Dalexis samples:


File recovery

CTB-Locker uses a custom algorithm based on elliptic curve cryptography, which guarantees that files are irrecoverable without the proper key.


As usual, prevention is the best countermeasure. Avoid opening unsolicited e-mail attachments and implement a proper privilege policy for network shares.

In addition, you can mitigate the problem by blocking the Dalexis URLs, thus preventing the CTB-Locker download. S21sec's Automatic Malware Analysis Platform analyzes tens of thousands of samples daily. Information gathered from the analyzed samples is fed into the Lookwise Threat Intelligence solution, which companies can use for threat detection in their internal networks.

TorrentLocker Campaign affecting Spain and Italy

Recently S21sec detected a very active ransomware campaign focused on Spain and Italy. The malware of choice this time has been TorrentLocker, and the means to trick the user into installing the malware is a series of spam mails with a link to the malware.

Ransomware is a kind of threat that either blocks the desktop or encrypts the information contained in an infected device. In both cases the criminals demand a payment to restore the system; for the payout the victim is usually required to purchase Bitcoins, Ukash tickets or any other non-traceable currency.

During the last two years we have seen several threats sharing a similar approach on desktop computers, and they also target mobile devices. Some examples are: CryptoLocker, Reveton, Netra, CryptoWall, Decode@india, TorLocker, Urausy…


TorrentLocker affects Microsoft Windows systems and is reminiscent, although only in appearance, of the infamous CryptoLocker. When the implementations are compared, substantial differences arise.

The main resemblance comes from the appropriation of the CryptoLocker name in the ransom note. This may be done to boost the intimidation effect of the blackmail with the name of a better-known threat; it could also be an attempt to hide several weaknesses in the earlier versions.


This ransomware encrypts all files with any of the following extensions stored in every mapped drive unit. This means that TorrentLocker will not encrypt network shared folders unless they are mounted as a local drive; the same applies to recovery partitions.

After a successful infection TorrentLocker tries to establish a TLS session with its C&C server in order to obtain the encryption key. Unlike CryptoLocker, which employed a DGA, the C&C server is hardcoded in the binary. If the communication with the C&C panel cannot be established, no encryption is performed at all.

Currently two versions of the malware have been reported; the main change between them lies in the encryption algorithm being used.

Early versions 

The first news of the original TorrentLocker version dates back to August 2014, when another spam campaign impersonating the National Postal Service hit Australia.

This early version used a rudimentary encryption routine that consists of applying a static XOR mask to the first 2 MB of the file (files smaller than 2 MB would be fully encrypted). So if the victims had an unencrypted copy of a file bigger than 2 MB, it was possible to retrieve the XOR key and restore the files using the following tool.
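The recovery described above can be sketched as follows. This is an added example, not the tool the post refers to: it assumes the same mask is applied from offset 0 of every file, and the function names and the sample data are constructed for illustration.

```python
import os

REGION = 2 * 1024 * 1024  # per the post: only the first 2 MB of a file is masked


def _xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    n = len(a)
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(n, "big")


def recover_mask(plain: bytes, cipher: bytes, region: int = REGION) -> bytes:
    """Derive the static XOR mask from one original/encrypted pair of the same file."""
    if len(plain) != len(cipher):
        raise ValueError("lengths differ: not two copies of the same file")
    # Past the masked region both copies must be identical; if they are not,
    # the pair does not fit the scheme and the derived mask would be wrong.
    if plain[region:] != cipher[region:]:
        raise ValueError("data beyond the masked region differs")
    n = min(len(plain), region)
    return _xor(plain[:n], cipher[:n])


def restore(data: bytes, mask: bytes, region: int = REGION) -> bytes:
    """Undo the mask on the head of a file and keep the untouched tail."""
    n = min(len(data), region)
    if n > len(mask):
        # A known pair shorter than 2 MB only recovers files up to its own size.
        raise ValueError(f"need {n} mask bytes, only {len(mask)} recovered")
    return _xor(data[:n], mask[:n]) + data[n:]


def demo() -> bool:
    # Constructed sample data: a random mask standing in for the malware's,
    # a backup copy larger than 2 MB, and a small document without a backup.
    mask = os.urandom(REGION)
    backup = os.urandom(REGION + 4096)
    encrypted_backup = restore(backup, mask)  # XOR is its own inverse
    document = b"quarterly report\n" * 100
    encrypted_document = restore(document, mask)

    recovered = recover_mask(backup, encrypted_backup)
    return recovered == mask and restore(encrypted_document, recovered) == document


if __name__ == "__main__":
    print("document restored:", demo())
```

A pair smaller than 2 MB still yields a usable prefix of the mask, which is why `restore` refuses files longer than the recovered mask instead of returning partly decrypted data.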

In our opinion, it may be due to this weak algorithm that the criminals chose to disguise themselves as CryptoLocker, given the dreadful reputation of the former trojan.

AES TorrentLocker

In early December 2014 a new variant of the malware broke out. The new strain uses AES (Advanced Encryption Standard); this change makes it more difficult to retrieve the files.

It is still possible to retrieve the files if a file carving tool is used just after the infection, because TorrentLocker does not delete the files in a secure manner after encryption.

For a more in-depth analysis you should consider reading the original work on the malware done by iSIGHT Partners.


The initial reports about the spam campaign we are analyzing in this post reached us during the first two days of December. It was active until December 5th at 20:09 (GMT+1), when the C&C servers went dark and stopped showing any activity.

Spam mails

Over the course of the campaign several mail templates were employed in order to trick the users into downloading the attached .zip files. We have identified that at least three different templates were used.

  • Mail 1 

  • Mail 2
  • Mail 3

The links served .zip files that, once unzipped, showed the following names:

  • Informe.Pdf_____________________________________________________________.exe
  • Perfil.Pdf _____________________________________________________________.exe
  • Processing.Pdf_____________________________________________________________.exe
  • Mensaje.pdf_____________________________________________________________.exe

Again, a low-tech yet effective approach is taken in order to hide the file extension.


It is easy to see that over 80% of the affected users are in Spain and Italy, with little impact in other countries. As a funny side note, we found one affected computer in the Vatican State.

Additionally, we have detected TorrentLocker campaigns targeting Turkey and Australia after the conclusion of the Spanish/Italian operation.


Due to its easy monetization and the relatively simple support infrastructure needed, we are seeing a rise in the number of infections caused by some variety of ransomware.

In these cases prevention is the best defense for the user because, as we have seen, recovering the files can be extremely difficult once they have been ciphered. In corporate networks it is important to control the access and privilege level of shared resources, such as network-accessible drives, in order to confine the damage to just the infected device.

Dridex Learns New Trick: P2P over HTTP

After several months we finally got an answer to the question asked by our friend Roman on this post regarding the infamous Cridex/Feodo/Geodo/Dridex saga. Back then we witnessed the birth of a new Feodo variant baptized as Dridex, and just a few days ago S21sec's Ecrime department detected a new Dridex variant which incorporated noticeable changes.

The sample was detected by our Dridex botnet tracking system when it failed to automatically analyze the last binary update pushed by the C&C. We were surprised to find out that its version number was 2.0.17 (131089), a big leap forward compared with those found on previous samples, which we have seen growing steadily from 1.0.135 (65671) to 1.0.158 (65694).

Besides the ciphering of the config (which previously has always been in plain text), the change that immediately caught our attention was the presence of a new tag within the XML exchanged during trojan's communication with the C&C.

In the following picture we can see the reference to the new tag within sample's code:

Another important and noticeable change is that this new variant runs a built-in HTTP server which listens at port 80.

As you can see in the following Wireshark screenshot, peers use basic auth to connect with each other:

The bot notifies other peers of its existence by sending the following message:

Over the last three days, all the requests issued to this botnet resulted in an empty response, so we presume that since then it relies fully on P2P for botnet management and updates.

We would like to remark that the P2P traffic is done over HTTP. We can only guess why the trojan developers decided to do so, but since it is surely neither for performance nor for efficiency, we presume that the desired goal is to make it as stealthy as possible and at the same time raise the probability of peers being able to connect with each other by using the default HTTP port.

As far as we can see, the updated configuration files target more than 120 entities from more than 20 countries, including many from Southeast Asia, and target several sectors besides banking, such as Online Digital Media, Online Hosting and Online Advertising.

As you can see, trojan developers keep improving their code and adding new features to hinder botnet tracking and shutdown. This time it has been Dridex, although we are noticing changes in other malware families which we hope to disclose in future posts.
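For defenders, the two traits described above (an HTTP listener on port 80 on an infected machine, and Basic auth between peers) can be turned into a simple hunt over HTTP metadata. The following is an added example, not code from the original analysis: the log format, the addresses and the approved-server inventory are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed HTTP metadata: timestamp, client, server, server port, auth scheme.
SAMPLE_LOG = """\
2015-01-20T10:00:01,10.0.1.15,10.0.9.10,80,-
2015-01-20T10:00:07,198.51.100.23,10.0.1.15,80,Basic
2015-01-20T10:00:09,10.0.1.15,203.0.113.77,80,Basic
2015-01-20T10:01:12,203.0.113.77,10.0.1.15,80,Basic
2015-01-20T10:02:30,10.0.2.31,10.0.9.10,80,Basic
2015-01-20T10:03:44,10.0.1.15,10.0.2.44,8080,-
"""

# Assumption: hosts that are expected to serve HTTP, taken from an asset inventory.
APPROVED_SERVERS = {"10.0.9.10"}


def unexpected_listeners(log_text, approved):
    """Map every non-approved host answering Basic-auth HTTP on port 80 to its clients."""
    clients = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _ts, src, dst, dport, auth = (field.strip() for field in row)
        if dport == "80" and auth.lower() == "basic" and dst not in approved:
            clients[dst].add(src)
    return {host: sorted(srcs) for host, srcs in clients.items()}


def peer_pairs(listeners):
    """Pairs of hosts that each act as HTTP server for the other, as P2P peers would."""
    pairs = set()
    for host, srcs in listeners.items():
        for src in srcs:
            if host in listeners.get(src, []):
                pairs.add(tuple(sorted((host, src))))
    return sorted(pairs)


if __name__ == "__main__":
    found = unexpected_listeners(SAMPLE_LOG, APPROVED_SERVERS)
    for host, srcs in found.items():
        print(f"{host} serves Basic-auth HTTP on port 80 to {', '.join(srcs)}")
    print("mutual pairs:", peer_pairs(found))
```

A workstation that appears as a port 80 server at all is worth a look; the mutual pairs are the stronger signal, because ordinary web traffic is not symmetric.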

S21sec Ecrime

The real danger of BadUSB

The last BlackHat USA conference presented a hacking technique, BadUSB, that has recently gained much attention. Although not completely new, it does pose a serious security vulnerability for USB devices.

A BadUSB attack basically involves reprogramming a normal USB device (usually a pen drive based on a reprogrammable microcontroller with a well-known architecture) to act maliciously.

As pointed out in the BlackHat talk, using USB devices for malicious activities was already a widely-known technique. Examples include:
  1. Virtual CD-ROM Attacks through AutoRun using a U3 USB flash drive.
  2. Malicious keyboard attacks using Rubber Ducky or Teensy.

The creators of BadUSB also propose other interesting tactics. For instance, configuring a USB device to spoof an Ethernet network card and through the DHCP assign a new gateway or a new DNS server that can then intercept traffic.

All of these attacks pose a risk to your computer. But there are a number of security measures to prevent these threats.

The act of reprogramming a USB device to behave maliciously isn't new either. In 2013 a technique was presented for reprogramming webcam firmware to disable the LED that shows that the camera is capturing pictures. The same paper mentions the possibility of using this firmware update to perform other malicious tasks.

But extending this technique to any USB device with updatable firmware is what makes this idea dangerous.

And what makes a BadUSB attack truly frightening is the possibility of combining these techniques and reprogramming several legitimate and apparently innocuous USB devices to create a combined attack.

These attacks also carry a series of difficulties when it comes to detection:
  1. Infection is more difficult to detect since the modified device is external to the main system.
  2. Some USB devices are portable and can therefore easily be used to spread infection.
  3. The infection remains even if the hard drive is formatted or the CPU is changed.
  4. Some USB devices are internal (for example, the majority of webcams, SD card readers, smartcard readers, biometrics in new laptops), which makes it easier for hackers to maintain the infection.

By combining this technique with other types of devices we can find serious cyber-attack scenarios. An example is using a USB stick as the initial attack vector and a device that is permanently connected to the computer (such as a webcam or printer) as a persistent infection vector. For example: making the device detect when the computer is booting, becoming a bootable pen drive that loads a modified version of the operating system.

They could even be made to work in anti-forensic mode. The microcontroller can allow the device to function in its original state or erase itself after infecting the system.

It is likely that we'll shortly see real cases of the combined use of several infected devices of this type functioning as implanted devices like the ones listed in the NSA's ANT catalog.

Ramón Pinuaga
S21sec assessment

Train yourself as a professional in the field of industrial security

The European Agency for Network and Information Security (ENISA), in its 2011 report "Protecting Industrial Control Systems. Recommendations for Europe and Member States", stated in its recommendation No. 4 the need to foster training and awareness on cyber security in industrial automation and control systems. In particular, this recommendation highlights the need for ongoing initiatives to be focused on standards and security best practices and to address, among others, crosscutting topics such as technology, security solutions, etc. It also recommends that the guiding principles should be: i) to highlight particular aspects of different sectors; ii) to avoid duplication with other similar initiatives; iii) to ensure the quality of the parties involved. Moreover, this recommendation identifies public agencies as potential leaders in this field.

In response to the needs identified by ENISA, INTECO has developed a MOOC course on cyber security in industrial automation and control systems. This initiative is one of the results of the measures identified in the Spanish Digital Trust Plan, which aims at building an ecosystem for attracting and generating talent around INTECO, in collaboration with universities and the private sector, and always seeking to complement other initiatives in which agents are developing training for professionals.

Miguel Rego, INTECO's CEO

The course is primarily aimed at Information Technology (IT) professionals with knowledge of IT security management, vulnerability analysis and security solutions (surely, if you're reading this publication, you recognize yourself here). Throughout the seven teaching units you will learn the fundamental concepts of industrial automation and control systems and infrastructures, particularly the smart grid, including PLCs, RTUs, SCADA, MES and BATCH systems among others, as well as the fundamentals of cyber security that affect them. Aspects such as vulnerabilities, threats, risks, attack techniques, the main good practices, principles of defense and ongoing security initiatives will be covered.

If you are already interested, here you can find the list of modules.


The course has been developed in collaboration with S21sec, Logitek and Tecnalia, companies of international reference in the field of automation and control systems security, of automation and control systems themselves, smart grids, as well as on existing security solutions. Moreover, thanks to the contribution of the Centre for Industrial Cybersecurity, the course counts on the collaboration of professionals like Ayman Al-Issa, Patrick Miller and Ruben Santamarta.

The course, free of charge, is rich and unique in Spain and is offered following the MOOC (Massive Open Online Courses) philosophy, that is, online, massive, and open to everyone. Under this paradigm, information sharing among the community of students and collaboration between them are key to completing the course.

The course is available on the new training platform of INTECO, which is based on this new training paradigm. The advanced course in industrial cyber security will be the first of the many topics for which courses will be offered. If you decide to register, you should know that this platform provides you with educational resources such as presentations, video tutorials, downloadable documentation, self-assessment exercises, forums where you can raise questions and learn with your future colleagues, spaces where you can create collaborative notes (wikis), and tools for collaborative correction (P2P) of evaluation exercises. Additionally, you will get reputation levels (karma) in the community based on your participation in spaces for interaction among students (i.e. forum and wiki). Moreover, once you have passed the mandatory activities of the course, you will receive a diploma certifying that you have completed the course.

We believe this is a unique opportunity for you, so we encourage you to register on the platform and enroll in the course (on October 27, contents will be already available, and the registration deadline is November 3). You will also see that this course is available in both Spanish and English, thus strengthening the international vocation of the training initiatives of INTECO. We hope it is to your liking and that you enjoy it as much as we enjoyed preparing it.

© Copyright S21sec 2013 - All rights reserved